def admin?; is_admin; end

Basic Solution

#3. bypass RESTful

Reason

Some developers don't think it's necessary to use RESTful routing all the time.

But..

Rails provides CSRF protection by default

It only works if you use RESTful design (only non-GET requests are checked)

HTTP 422 for a request with an invalid authenticity token

Vulnerability

Rails even provides a convenient example!!

# config/routes.rb
# This is a legacy wild controller route that's not recommended for RESTful applications.
# Note: This route will make all actions in every controller accessible via GET requests.
# match ':controller(/:action(/:id(.:format)))'
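Why the wildcard route defeats the default CSRF protection, as an added stand-alone Ruby model (not Rails' own code; method names such as `verified_request?` mirror Rails but the routing and token logic are simplified, and the `users` controller, paths and tokens are constructed for the illustration):

```ruby
# Constructed model: Rails checks the authenticity token only on "unsafe" verbs,
# so any state-changing action that the wildcard route exposes via GET is never checked.
SAFE_METHODS = %w[GET HEAD].freeze

# Simplified shape of ActionController's verified_request?: safe verbs pass
# unconditionally; every other verb needs a token matching the session's.
def verified_request?(method, params_token, session_token)
  SAFE_METHODS.include?(method) || (!params_token.nil? && params_token == session_token)
end

# Legacy route match ':controller(/:action(/:id(.:format)))':
# any verb reaches any public action of any controller.
WILDCARD = %r{\A/(?<controller>[^/]+)(?:/(?<action>[^/]+))?(?:/(?<id>[^/.]+))?}

def route_wildcard(_method, path)
  m = WILDCARD.match(path)
  return nil unless m
  { controller: m[:controller], action: m[:action] || "index", id: m[:id] }
end

# RESTful resource route (resources :users, only: [:show, :destroy]):
# destroy is reachable only through DELETE /users/:id.
def route_restful(method, path)
  m = %r{\A/users/(?<id>\d+)\z}.match(path)
  return nil unless m
  case method
  when "GET"    then { controller: "users", action: "show",    id: m[:id] }
  when "DELETE" then { controller: "users", action: "destroy", id: m[:id] }
  end
end

# Route the request, then apply the forgery check in the order Rails does.
# Returns the status line a client would observe.
def dispatch(router, method, path, params_token: nil, session_token: "session-token")
  route = send(router, method, path)
  return "404 Not Found" unless route
  return "422 Unprocessable Entity" unless verified_request?(method, params_token, session_token)
  "200 #{route[:controller]}##{route[:action]}(#{route[:id]})"
end

if __FILE__ == $PROGRAM_NAME
  # Wildcard: a plain GET reaches the destructive action with no token check at all.
  puts dispatch(:route_wildcard, "GET", "/users/destroy/1")
  # RESTful: the same URL does not route, and DELETE without a token gets 422.
  puts dispatch(:route_restful, "GET", "/users/destroy/1")
  puts dispatch(:route_restful, "DELETE", "/users/1")
  puts dispatch(:route_restful, "DELETE", "/users/1", params_token: "session-token")
end
```

The fix the talk points at is therefore routing, not more token checks: remove the `match ':controller(/:action(/:id(.:format)))'` line and declare resources, so every mutating action is only reachable through a verb that `protect_from_forgery` verifies.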